Static IPs and firewalls on Fusion service

Internet access discussion, including Fusion, IP Broadband, and Gigabit Fiber!
24 posts Page 1 of 3
by chezoxford » Fri Jul 29, 2011 3:26 pm
I've recently signed up for Fusion service with a block of static IPs, but I'm still unable to switch over because of a problem that seems to be associated with ARP on my firewall. Briefly, my configuration is a Sonic-provided DSL modem in bridge mode connected to one port on my firewall, a Soekris box running m0n0wall. Three other subnets have hosts, printers, etc. (LAN, DMZ, and Wireless). Everything is NATed. Some of the hosts on the LAN and DMZ networks have static IP addresses, some do not; the static addresses are set up for 1:1 NAT and Proxy ARP between the WAN port on the firewall and the appropriate internal addresses. This configuration has worked well for me through two other ISPs, so I know it can work.

What I'm seeing is that the hosts with static IP addresses never make it into the ARP table. By sniffing the ethernet I can see an ECHO-REQUEST packet with the correct IP address come from the firewall (and presumably leave via the DSL line; both the IP address and the MAC address are correct) but I never see an ECHO-REPLY or an ARP WHO-HAS request come back. But if I ping from one of the non-static NATed addresses everything works fine.

It gets weirder. If I attach my laptop outside the firewall and use arping I can trick the DSLAM into thinking that my laptop is one of the other static addresses. Once that happens, a ping from the real host through the firewall does get a response — but of course it comes to my laptop, not the firewall, so it isn't very useful. I tried using -s to spoof the MAC address, but that doesn't work — it uses the MAC address from the ethernet header, not the one in the ARP packet.

So far Sonic's response has been either "ditch the firewall", which I consider to be irresponsible, or "it's not our problem", which isn't very useful. They don't seem to be willing to even look at the packet traces I've generated. Does anyone out there have any better ideas? I would really prefer not to have to return to Speakeasy, but at this point it looks like I'm being forced that way.

eric
by dane » Fri Jul 29, 2011 7:45 pm
While I'm not one of the experts here, I'd say that 1:1 NAT where you have a single MAC serving multiple bridged IPs is likely to be an issue. Instead, consider NAT/PAT behind one of the IPs.

As support says, it likely is what it is, so you'll need to work the configuration into a format that works for you.

A typical configuration BTW that I've seen with customers is a modem set to bridge mode, connected to a switch which serves 1) one to seven public-facing servers on public IPs plus 2) an Ethernet router/NAT firewall device for multiple workstations.

-Dane
Dane Jasper
Sonic
by jared » Fri Jul 29, 2011 8:29 pm
Chez,

On Fusion connections, our DSLAMs perform secured ARP to prevent IP misuse. On static IP Fusion circuits, the only way our DSLAM learns an IP/MAC combo is by ARP being generated from either above (our aggregation router ARPs for one of your IPs, and the DSLAM snoops the reply), or below (a host on your network generates an ARP request for its gateway). Given your description, I'd guess that your firewall isn't generating an ARP request for each of its 1-1 static NAT IPs on boot, or when those hosts generate traffic. If you can figure out how to configure your firewall to do so, everything should work. You may be able to use arping on your m0n0wall to force an ARP request to be sent to test/verify this.
by chezoxford » Sat Jul 30, 2011 1:37 pm
dane wrote: While I'm not one of the experts here, I'd say that 1:1 NAT where you have a single MAC serving multiple bridged IPs is likely to be an issue. Instead, consider NAT/PAT behind one of the IPs.

As support says, it like is what it is, so you'll need to work the configuration into a format that works for you.
I strongly recommend that you rethink this a bit. I'm using what is a very standard configuration for any business that cares about security. It is certainly what I would recommend as a consultant.
dane wrote: A typical configuration BTW that I've seen with customers is a modem set to bridge mode, connected to a switch which serves 1) one to seven public-facing servers on public IPs plus 2) an Ethernet router/NAT firewall device for multiple workstations.

-Dane
I'm sorry, but putting public-facing servers directly on the net without a firewall strikes me as the height of irresponsibility. I certainly hope that this isn't an indication of Sonic having a casual attitude on security. You do, after all, have my credit card information.

Reasons why putting a server directly on the network is a bad idea: I have some ports on servers that I want to have open internally but not externally (e.g., syslog). It makes it easier for attackers to exploit ports that are opened by random applications. It enables attacks against multiple TCP implementations instead of just one. I'm sure there are more.

In any case, I found a (rather obtuse) workaround, but not one that any average user is ever likely to find. I wrote it up on my blog: http://www.neophilic.com/b2evo/blogs/bl ... do-not-mix

eric
by jrostkow » Sun Aug 07, 2011 4:35 pm
chezoxford wrote: I'm sorry, but putting public-facing servers directly on the net without a firewall strikes me as the height of irresponsibility. I certainly hope that this isn't an indication of Sonic having a casual attitude on security. You do, after all, have my credit card information.
Well, if you didn't have a hardware firewall then it'd be expected you'd have a software firewall running on your server. A good software firewall should be as secure as a hardware firewall, with the disadvantage that it takes up server resources.
by gp1628 » Mon Aug 08, 2011 6:11 am
If a server is not meant for public access then why would you have a static IP at all? My server is meant totally for public use and has for almost a decade. I think I have only had one problem in all that time, and that for only an hour.
by chezoxford » Mon Aug 08, 2011 8:11 am
gp1628 wrote: If a server is not meant for public access then why would you have a static IP at all? My server is meant totally for public use and has for almost a decade. I think I have only had one problem in all that time, and that for only an hour.
I answered this earlier:
Reasons why putting a server directly on the network is a bad idea: I have some ports on servers that I want to have open internally but not externally (e.g., syslog). It makes it easier for attackers to exploit ports that are opened by random applications. It enables attacks against multiple TCP implementations instead of just one. I'm sure there are more.
eric
by Guest » Thu Aug 11, 2011 5:19 pm
I just ran into the same issue. As Jared's post said, the Sonic server wants to see an ARP request from each of the static IP addresses, and the arping program will do it. On my Linux gateway/firewall I set up a cron job that will periodically run arping to send an ARP request from each of my static IP addresses. As an example, if my IP addresses are a.b.c.h1, a.b.c.h2, ... and the gateway is a.b.c.1, I have two entries, one to run every 15 minutes, and another that runs once at reboot:

*/15 * * * * root for x in h1 h2 h3 h4 h5 h6 h7 h8 ; do /sbin/arping -q -f -s a.b.c.$x -I eth0 a.b.c.1 ; done
@reboot root for x in h1 h2 h3 h4 h5 h6 h7 h8 ; do /sbin/arping -q -f -s a.b.c.$x -I eth0 a.b.c.1 ; done
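The mechanism jared describes (the DSLAM only learns an IP/MAC pair from an ARP it snoops) and the Guest's cron loop above can be wrapped in a small script that validates the host list and reports when an address got no reply. This is an added example, not code from the thread or from Sonic; it assumes the iputils arping syntax used in the post, and the 192.0.2.x addresses (TEST-NET-1), interface name and host octets are constructed placeholders.

```shell
#!/bin/sh
# Added example: refresh the DSLAM's secured-ARP table for every public IP a
# 1:1 NAT firewall answers for. Values below are constructed; override via env.
PREFIX="${PREFIX:-192.0.2}"        # first three octets of the static block
GATEWAY="${GATEWAY:-192.0.2.1}"    # ISP gateway whose ARP the DSLAM snoops
IFACE="${IFACE:-eth0}"             # WAN interface facing the bridged modem
HOSTS="${HOSTS:-10 11 12 13}"      # last octets of the 1:1 NAT public IPs
ARPING="${ARPING:-/sbin/arping}"   # iputils arping (-s = sender IP, -I = iface)

# Accept only a plain last octet in 1..254, so a typo in HOSTS never makes
# the firewall ARP as an address that is not part of our block.
valid_octet() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 254 ]
}

# Print the arping invocation for one public IP. -s puts that IP in the ARP
# sender field while the MAC stays the firewall's, which is exactly the pair
# the DSLAM needs to learn; -f stops at the first reply, -c 3 bounds retries,
# -q keeps cron mail quiet.
arping_cmd() {
    printf '%s -q -f -c 3 -s %s.%s -I %s %s\n' \
        "$ARPING" "$PREFIX" "$1" "$IFACE" "$GATEWAY"
}

# Run one arping per static IP (or just print them when DRY_RUN is set).
# Returns non-zero if any host was skipped or got no reply, so a cron job or
# monitoring check can notice that the DSLAM has lost an entry.
announce_static_ips() {
    rc=0
    for h in $HOSTS; do
        if ! valid_octet "$h"; then
            echo "skipping invalid host octet: $h" >&2
            rc=1
            continue
        fi
        cmd=$(arping_cmd "$h")
        if [ -n "${DRY_RUN:-}" ]; then
            echo "$cmd"
        else
            $cmd || { echo "no ARP reply for $PREFIX.$h" >&2; rc=1; }
        fi
    done
    return $rc
}
```

Install it as the command in both the `*/15` and `@reboot` cron entries; with `DRY_RUN=1` it only prints the commands it would run.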
by Richard » Wed Nov 02, 2011 3:28 pm
Is this only an issue with StaticIPs on Fusion service? or also with Sonic's 'Legacy' DSL (e.g. EliteS)?

I'm an AT&T DSL (PPPoE) customer, and am considering the switch to Sonic, and would like to understand what the limitations caused by this issue are ... Sonic's already made it pretty clear that BSD/Linux is not supported, and that answers are to be sought/found here & elsewhere.

Doing some digging, the first few hits on a cursory search,

https://forums.sonic.net/viewtopic.php?f=10&t=241
https://www.neophilic.com/b2evo/blogs/blog4.php/2011/07/30/sonic-net-static-ips-and-firewalls-do-not-mix
http://www.neophilic.com/b2evo/blogs/media/blogs/eric/trick-sonic.txt
https://forums.sonic.net/viewtopic.php?f=10&t=120&p=749&hilit=arp#p749
https://forums.sonic.net/viewtopic.php?f=10&t=107

point to some common issues, and some tortured workarounds. :-/

So, *is* this a bug on Sonic's end? Is it common to both Fusion and Legacy DSL? Is this the right/best workaround?

Thanks,

Richard
by kgc » Thu Nov 03, 2011 10:54 am
Richard wrote: Is this only an issue with StaticIPs on Fusion service? or also with Sonic's 'Legacy' DSL (e.g. EliteS)?
The issues people are reporting here do not affect the Legacy DSL platform.
Richard wrote: So, *is* this a bug on Sonic's end? Is it common to both Fusion and Legacy DSL? Is this the right/best workaround?
There is a problem that affects some static IP configurations on the Fusion platform that requires the arping workaround for the time being. The NOC is aware of this and it is being worked on with our vendors.
Kelsey Cummings
System Architect, Sonic.net, Inc.